Doug notes that security threats are becoming more difficult to detect.

“Fifteen years ago, cybersecurity breaches of SCADA [supervisory control and data acquisition] systems were not that big of an issue because every SCADA manufacture used different technology. Now there is more similarity across the systems, more people are experts, and wireless technology and the Internet have given hackers the ability to connect with computers halfway around the world.”

Putting together a cybersecurity program takes much work. It starts with creating a comprehensive SCADA cybersecurity plan and by understanding to what the SCADA system is connected.

“Evaluate and manage the elements connected to your SCADA system on a regular basis,” said Johnson. “Things get added on all the time, and even just connecting a thumb drive can cause a huge security risk.”

Part of the planning process is to identify gaps and vulnerabilities. Next is to create a defense plan:

…that specifies exactly what to do if a new threat is identified…

The article’s author highlights several resources to assist in this planning process:

“We think of security breaches as a bad guy with a truck full of explosives driving through the front gate, but security problems can also come from a disgruntled employee, an untrained employee, or a contractor that has access to the system. It can happen pretty close to home,” said Johnson.…As new employees replace those with years of experience, it is important to train them thoroughly on all SCADA security protocols, so that lack of knowledge doesn’t increase cyber threat risk.

Doug explains the importance of focused efforts and responsibility:

“The ones who do it best recognize that it is an ongoing effort, and it takes people making it a big part of their responsibly,” explained Johnson. “A water utility really needs someone whose job is to be responsible for cybersecurity, someone who understands that SCADA has its own security concerns.”

If there isn’t someone qualified or available at a utility to take responsibility for SCADA cybersecurity, utilities should consider turning to outside experts or consultants. More often SCADA security is becoming an outsourced job function, explained Johnson.